Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks
-
Upload
donna-russo -
Category
Documents
-
view
40 -
download
0
description
Transcript of Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks
![Page 1: Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks](https://reader031.fdocuments.us/reader031/viewer/2022020422/56812ee7550346895d948367/html5/thumbnails/1.jpg)
Evaluating the Vulnerability of Network Mechanisms
to Sophisticated DDoS Attacks
Udi Ben-PoratTel-Aviv University,
Israel
Anat Bremler-BarrIDC Herzliya, Israel
Hanoch LevyETH Zurich, Switzerland
![Page 2: Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks](https://reader031.fdocuments.us/reader031/viewer/2022020422/56812ee7550346895d948367/html5/thumbnails/2.jpg)
Why are the systems so vulnerable ?
Computer and network systems have been designed under the assumption that each user aims at maximizing his own performance
But in "DDoS environment" - some users aim to degrade the performance of other users.
Current Status: Protocols and systems are quite vulnerable in DDOS environment
In Crypto terminology we count "Alice" and "Bob“ and forgot “Eve” the evil adversary
U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 2
![Page 3: Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks](https://reader031.fdocuments.us/reader031/viewer/2022020422/56812ee7550346895d948367/html5/thumbnails/3.jpg)
Distributed Denial of Service (DDoS): Consume the servers/network resources
Zombies
DDoS: Attacker adds users/queries zombies to flood a server
Attacker
3U. Ben-Porat / A. Bremler / H.
Levy Infocom 2008
![Page 4: Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks](https://reader031.fdocuments.us/reader031/viewer/2022020422/56812ee7550346895d948367/html5/thumbnails/4.jpg)
Sophisticated DDoS Attack
Sophisticated DDoS:Goal: Create maximal damage with limited budget
Damage – Performance degradation Increase errors rate, average delay etc.
Budget – Amount of operations/access allowed
Motivation: Reduce the (efforts and) cost of the attack Make the attack hard to detect Allow attacks on limited access servers
U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 4
![Page 5: Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks](https://reader031.fdocuments.us/reader031/viewer/2022020422/56812ee7550346895d948367/html5/thumbnails/5.jpg)
Sophisticated Attacks Examples Simple example: Database server
Make hard queries, avoid cache Goal: consume CPU time
Sophisticated attacks in the research: TCP
[TCP] Low-Rate TCP-Targeted Denial of Service AttacksA. Kuzmanovic and E.W.Knightly Sigcomm 2003
Opeh Hash [OH] Denial of Service via Algorithmic Complexity
AttacksScott A. Crosby and Dan S. Wallach Usenix 2003
Admission Control [RoQ] Reduction of Quality (RoQ) Attacks on Internet
End-Systems Mina Guirguis, Azer Bestavros, Ibrahim Matta and Yuting Zhang Infocom 2005
U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 5
![Page 6: Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks](https://reader031.fdocuments.us/reader031/viewer/2022020422/56812ee7550346895d948367/html5/thumbnails/6.jpg)
6
Study Objective Propose a DDoS Vulnerability performance metric
Vulnerability Measure To be used in addition to traditional system performance
metrics Understanding the vulnerability of different
systems to sophisticated attacks
This Talk Describe DDoS Vulnerability performance metric Demonstrate metric impact
Hash Table: Very Common in networking Performance (traditional) : OPEN equivalent CLOSED Vulnerability analysis: OPEN is better than
CLOSED!!U. Ben-Porat / A. Bremler / H.
Levy Infocom 2008 6
![Page 7: Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks](https://reader031.fdocuments.us/reader031/viewer/2022020422/56812ee7550346895d948367/html5/thumbnails/7.jpg)
Distributed Denial of Service (DDoS)
Attacker adds more regular users Loading the server - degrading server performance
Server Performance
Server
Attacker
NormalDDoS S. DDoS
U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 7
![Page 8: Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks](https://reader031.fdocuments.us/reader031/viewer/2022020422/56812ee7550346895d948367/html5/thumbnails/8.jpg)
Sophisticated DDoS
NormalDDoS S. DDoS
Server Performance
Server
Attacker
Attacker adds sophisticated malicious users Each user creates maximal damage (per attack budget)
U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 8
![Page 9: Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks](https://reader031.fdocuments.us/reader031/viewer/2022020422/56812ee7550346895d948367/html5/thumbnails/9.jpg)
Vulnerability Factor Definition
Vulnerability=v means: In terms of performance degradation 1 malicious user equals v regular users
Performance
Degradation
Scales
c),ce(RegularΔPerformanc),usce(MalicioΔPerformanmaxc)ity(CostVulnerabil st
st
(st = Malicious Strategy) 9U. Ben-Porat / A. Bremler / H.
Levy Infocom 2008
![Page 10: Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks](https://reader031.fdocuments.us/reader031/viewer/2022020422/56812ee7550346895d948367/html5/thumbnails/10.jpg)
Vulnerability Factor – example
Example: vulnerability of server serving N users:
Vulnerability(k): = 20% / 5% = 4 When allowing k additional users to this system (in
an hostile environment), we should be prepared for performance degradation 4 times worse than the expected
Attack Type:Add k regular users Add k malicious users
Performance Degradation:5%20%
U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 11
![Page 11: Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks](https://reader031.fdocuments.us/reader031/viewer/2022020422/56812ee7550346895d948367/html5/thumbnails/11.jpg)
Demonstration of Vulnerability metric: Attack on Hash Tables
Hash table is a data structure based on Hash function and an array of buckets.
Central component in networks
Operations: Insert, Search and Delete of elements according to their keys.
key
Insert (element) Buckets
Hash(key)
User Server
U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 12
![Page 12: Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks](https://reader031.fdocuments.us/reader031/viewer/2022020422/56812ee7550346895d948367/html5/thumbnails/12.jpg)
13
Hash Tables
Bucket = one element
Collision-> the array is repeatedly probed until an empty bucket is found
Bucket = list of elements that were hashed to that bucket
Open Hash Closed Hash
Insertion verifies the element does not already exists
U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 13
![Page 13: Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks](https://reader031.fdocuments.us/reader031/viewer/2022020422/56812ee7550346895d948367/html5/thumbnails/13.jpg)
Open vs. Closed In Attack vulnerability:
While attack is on: Attacker’s operations are CPU intensive CPU loaded
Post Attack vulnerability : Loaded Table insert/delete/search op’s suffer
Vulnerability: OPEN vs. CLOSEDPerformance metrics: OPEN = CLOSED*
What about Vulnerability? OPEN = CLOSED? (* when the buckets array of closed hash is twice bigger)
U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 14
![Page 14: Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks](https://reader031.fdocuments.us/reader031/viewer/2022020422/56812ee7550346895d948367/html5/thumbnails/14.jpg)
Attacker strategy (InsStrategy) Strategy:
Insert k elements (cost=budget=k) where all elements hash into the same bucket ( )
Theorem: InsStrategy is Optimal For both In Attack and Post Attack
Closed Hash:Cluster
Open Hash: One long list of elements
Attack Results
U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 15
![Page 15: Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks](https://reader031.fdocuments.us/reader031/viewer/2022020422/56812ee7550346895d948367/html5/thumbnails/15.jpg)
Analytic Results We compare the vulnerability of the Open and
Closed Hash using analysis of the Vulnerability (probability + combinatory analysis)
Common approach: Open Hash table with M buckets is performance-wise equivalent to a Closed Hash table with 2M buckets.
We present graph: M = 500 and k = N, i.e., The additional users (k) double the number of values in
the table.
U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 17
![Page 16: Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks](https://reader031.fdocuments.us/reader031/viewer/2022020422/56812ee7550346895d948367/html5/thumbnails/16.jpg)
In Attack: CPU ConsumptionIn every malicious insertion, the server has to traverse all previous inserted elements (+ some existing elements)
Open Hash Closed Hash
Analytic results:Open Hash:Open Hash:
Closed Hash:Closed Hash:
V=
V=
Elements (k)
V ~ K/2
Malicious insertion ~ K/2Regular insertion ~ O(1)Vulnerability ~ K/2
U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 18
![Page 17: Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks](https://reader031.fdocuments.us/reader031/viewer/2022020422/56812ee7550346895d948367/html5/thumbnails/17.jpg)
Post Attack: Operation Complexity
Open Hash Closed Hash
Elements
U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 19
![Page 18: Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks](https://reader031.fdocuments.us/reader031/viewer/2022020422/56812ee7550346895d948367/html5/thumbnails/18.jpg)
Post Attack: account for queuing Queue holds the requests for the server Waiting Time = (X= service time) Vulnerability of the (post attack)
Waiting Time? Hash Table
Server
Request
))(1(2)( 2
XEXE
U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 22
![Page 19: Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks](https://reader031.fdocuments.us/reader031/viewer/2022020422/56812ee7550346895d948367/html5/thumbnails/19.jpg)
Post Attack Waiting Time
Open Hash:Open Hash:Vulnerable !! While in the model of Post Attack Operation Complexity the Open Hash is not Vulnerable !
Closed Hash: Closed Hash: Drastically more vulnerable:Clusters increase the second moment of the service time
Queue becomes unstable
Stability Point
Elements
U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 23
![Page 20: Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks](https://reader031.fdocuments.us/reader031/viewer/2022020422/56812ee7550346895d948367/html5/thumbnails/20.jpg)
Practical Considerations
In hostile environments one can no longer follow the simple approach of relying only on complexity based rules of operations in order to comply with the performance requirements of a system.
For example, based on traditional performance double the size of the Closed Hash table (rehashing) when the table reaches 70¡80% load.
In a hostile environment the rehashing must be done much earlier (in the previous example at 48% load the Closed Hash is no longer stable).
U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 25
![Page 21: Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks](https://reader031.fdocuments.us/reader031/viewer/2022020422/56812ee7550346895d948367/html5/thumbnails/21.jpg)
Conclusions Closed Hash is much more vulnerable to
sophisticated DDoS than Open Hash In contrast: the two systems are considered
equivalent via traditional performance evaluation.
After attack ends, regular users still suffer from performance degradation
Application using Hash in the Internet, where there is a queue before the hash, has high vulnerability.
U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 26
![Page 22: Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks](https://reader031.fdocuments.us/reader031/viewer/2022020422/56812ee7550346895d948367/html5/thumbnails/22.jpg)
Related Work [RoQ] Attack measurement: Potency
Potency measure specific attack Vulnerability measures the system
Meaningless without additional numbers Vulnerability is meaningful comparable information based on this number alone
[OH] Studies attack only on Open Hash. Our work is comparing Closed to Open Hash, also
analyzing the post attack performance degradation
U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 27
![Page 23: Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks](https://reader031.fdocuments.us/reader031/viewer/2022020422/56812ee7550346895d948367/html5/thumbnails/23.jpg)
Questions?
U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 28